
Re: [whatwg] File based permission files?

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Jun 2012 21:27:18 +0000 (UTC)
To: whatwg@whatwg.org
Message-ID: <Pine.LNX.4.64.1206132124120.30734@ps20323.dreamhostps.com>

On Wed, 25 Apr 2012, Tyler Larson wrote:
>
> While working with the canvas tag, when you want to edit pixel data 
> within an image loaded from another server, you need to have these images 
> served from a web server with cross-origin resource sharing headers. 
> http://www.w3.org/TR/cors/
> 
> This means every web server around the internet will need to be 
> reconfigured to output these headers for each asset they want to give 
> access to. As you can see from threads like this 
> https://forums.aws.amazon.com/thread.jspa?threadID=34281 hosts don't want 
> to change the way they serve files. Reconfiguring most web servers is 
> out of the question for a majority of situations.

This provides a competitive environment where hosting providers can cater 
to authors who need CORS headers.


> The Flash player has similar security concerns; you cannot load an 
> image from another server and edit its pixel information without a 
> crossdomain.xml file. This system has been in place so long that most 
> companies have these files already in place and are usually giving 
> access to all assets on their servers.
> 
> http://www.google.com/crossdomain.xml
> http://www.apple.com/crossdomain.xml
> http://www.yahoo.com/crossdomain.xml
> http://www.adobe.com/crossdomain.xml

Given the number of security problems this has caused, I do not think we 
should go down this route.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 June 2012 21:27:59 UTC
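
The canvas restriction discussed in this thread, as an added example that is not part of either message: a small model of how a browser decides whether script may read pixels from a cross-origin image, following the CORS check as browsers implement it. The function name, hosts and header sets are constructed for illustration.

```javascript
// Added illustration; function and host names are hypothetical.
// Models the decision a browser makes when a page draws a cross-origin
// image into a canvas and then calls getImageData()/toDataURL().

// mode: null (no crossorigin attribute), "anonymous" or "use-credentials"
// Returns "readable", "tainted" (drawn, but pixel reads throw) or
// "load-fails" (CORS-mode request rejected, image never loads).
function pixelAccess(pageUrl, imageUrl, mode, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  if (new URL(imageUrl).origin === pageOrigin) return "readable";

  // Without the crossorigin attribute the image is fetched in no-cors mode:
  // it renders, but drawing it marks the canvas as not origin-clean.
  if (mode === null) return "tainted";

  // Header names are case-insensitive; values are compared exactly.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  const withCredentials = mode === "use-credentials";

  if (allowOrigin === undefined) return "load-fails";
  // "*" is only honoured for requests sent without credentials.
  if (allowOrigin === "*" && !withCredentials) return "readable";
  if (allowOrigin !== pageOrigin) return "load-fails";
  if (!withCredentials) return "readable";
  return headers["access-control-allow-credentials"] === "true"
    ? "readable"
    : "load-fails";
}

// Constructed sample cases (not real servers).
const PAGE = "https://editor.example/app";
const IMG = "https://cdn.example/photo.png";
const cases = [
  [null, {}],
  ["anonymous", {}],
  ["anonymous", { "Access-Control-Allow-Origin": "*" }],
  ["use-credentials", { "Access-Control-Allow-Origin": "*" }],
  ["use-credentials", { "Access-Control-Allow-Origin": "https://editor.example",
                        "Access-Control-Allow-Credentials": "true" }],
];
for (const [mode, headers] of cases) {
  console.log(mode, JSON.stringify(headers), "->", pixelAccess(PAGE, IMG, mode, headers));
}
```

Unlike a site-wide crossdomain.xml, the grant here is made per response, and a wildcard never covers a credentialed request.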
